break agent key lifetime protocol and allow other contraints for key usage.

4 files changed, 33 insertions, 23 deletions

diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c
index 0f84e321cf9..b16bc470b6f 100644
--- a/usr.bin/ssh/authfd.c
+++ b/usr.bin/ssh/authfd.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.51 2002/06/05 21:55:44 markus Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.52 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -552,7 +552,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 
 int
-ssh_lifetime_identity(AuthenticationConnection *auth, Key *key, u_int life)
+ssh_contrain_identity(AuthenticationConnection *auth, Key *key, u_int life)
 {
 	Buffer msg;
 	int type;
@@ -562,21 +562,22 @@ ssh_lifetime_identity(AuthenticationConnection *auth, Key *key, u_int life)
 	buffer_init(&msg);
 
 	if (key->type == KEY_RSA1) {
-		buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY1);
-		buffer_put_int(&msg, life);
+		buffer_put_char(&msg, SSH_AGENTC_CONTRAIN_IDENTITY1);
 		buffer_put_int(&msg, BN_num_bits(key->rsa->n));
 		buffer_put_bignum(&msg, key->rsa->e);
 		buffer_put_bignum(&msg, key->rsa->n);
 	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
 		key_to_blob(key, &blob, &blen);
-		buffer_put_char(&msg, SSH_AGENTC_LIFETIME_IDENTITY);
-		buffer_put_int(&msg, life);
+		buffer_put_char(&msg, SSH_AGENTC_CONTRAIN_IDENTITY);
 		buffer_put_string(&msg, blob, blen);
 		xfree(blob);
 	} else {
 		buffer_free(&msg);
 		return 0;
 	}
+	buffer_put_char(&msg, SSH_AGENT_CONTRAIN_LIFETIME);
+	buffer_put_int(&msg, life);
+
 	if (ssh_request_reply(auth, &msg, &msg) == 0) {
 		buffer_free(&msg);
 		return 0;
diff --git a/usr.bin/ssh/authfd.h b/usr.bin/ssh/authfd.h
index 263e4b97d68..e3ef6ff5e1e 100644
--- a/usr.bin/ssh/authfd.h
+++ b/usr.bin/ssh/authfd.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: authfd.h,v 1.26 2002/06/05 21:55:44 markus Exp $	*/
+/*	$OpenBSD: authfd.h,v 1.27 2002/06/15 00:01:36 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -46,9 +46,11 @@
 #define SSH_AGENTC_LOCK				22
 #define SSH_AGENTC_UNLOCK		        23
 
-/* set key lifetime */
-#define	SSH_AGENTC_LIFETIME_IDENTITY1		24
-#define	SSH_AGENTC_LIFETIME_IDENTITY		25
+/* constrain key usage */
+#define	SSH_AGENTC_CONTRAIN_IDENTITY1		24
+#define	SSH_AGENTC_CONTRAIN_IDENTITY		25
+
+#define	SSH_AGENT_CONTRAIN_LIFETIME		1
 
 /* extended failure messages */
 #define SSH2_AGENT_FAILURE			30
@@ -73,7 +75,7 @@ int	 ssh_get_num_identities(AuthenticationConnection *, int);
 Key	*ssh_get_first_identity(AuthenticationConnection *, char **, int);
 Key	*ssh_get_next_identity(AuthenticationConnection *, char **, int);
 int	 ssh_add_identity(AuthenticationConnection *, Key *, const char *);
-int	 ssh_lifetime_identity(AuthenticationConnection *, Key *, u_int);
+int	 ssh_contrain_identity(AuthenticationConnection *, Key *, u_int);
 int	 ssh_remove_identity(AuthenticationConnection *, Key *);
 int	 ssh_remove_all_identities(AuthenticationConnection *, int);
 int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);
diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c
index 716f6f66bc7..7235110ad7b 100644
--- a/usr.bin/ssh/ssh-add.c
+++ b/usr.bin/ssh/ssh-add.c
@@ -35,7 +35,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-add.c,v 1.57 2002/06/10 17:36:23 stevesk Exp $");
+RCSID("$OpenBSD: ssh-add.c,v 1.58 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -165,7 +165,7 @@ add_file(AuthenticationConnection *ac, const char *filename)
 		fprintf(stderr, "Could not add identity: %s\n", filename);
 
 	if (ret == 0 && lifetime != 0) {
-		if (ssh_lifetime_identity(ac, private, lifetime)) {
+		if (ssh_contrain_identity(ac, private, lifetime)) {
 			fprintf(stderr,
 			    "Lifetime set to %d seconds for: %s (%s)\n",
 			    lifetime, filename, comment);
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index d3da35e4075..d40a9409b93 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -35,7 +35,7 @@
 
 #include "includes.h"
 #include <sys/queue.h>
-RCSID("$OpenBSD: ssh-agent.c,v 1.91 2002/06/11 05:46:20 mpech Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.92 2002/06/15 00:01:36 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -466,15 +466,13 @@ send:
 }
 
 static void
-process_lifetime_identity(SocketEntry *e, int version)
+process_contrain_identity(SocketEntry *e, int version)
 {
 	Key *key = NULL;
 	u_char *blob;
-	u_int blen, bits, death;
+	u_int blen, bits, death = 0;
 	int success = 0;
 
-	death = time(NULL) + buffer_get_int(&e->request);
-
 	switch (version) {
 	case 1:
 		key = key_new(KEY_RSA1);
@@ -489,9 +487,18 @@ process_lifetime_identity(SocketEntry *e, int version)
 		xfree(blob);
 		break;
 	}
+	while (buffer_len(&e->request)) {
+		switch (buffer_get_char(&e->request)) {
+		case SSH_AGENT_CONTRAIN_LIFETIME:
+			death = time(NULL) + buffer_get_int(&e->request);
+			break;
+		default:
+			break;
+		}
+	}
 	if (key != NULL) {
 		Identity *id = lookup_identity(key, version);
-		if (id != NULL && id->death == 0) {
+		if (id != NULL && id->death == 0 && death != 0) {
 			id->death = death;
 			success = 1;
 		}
@@ -703,8 +710,8 @@ process_message(SocketEntry *e)
 	case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
 		process_remove_all_identities(e, 1);
 		break;
-	case SSH_AGENTC_LIFETIME_IDENTITY1:
-		process_lifetime_identity(e, 1);
+	case SSH_AGENTC_CONTRAIN_IDENTITY1:
+		process_contrain_identity(e, 1);
 		break;
 	/* ssh2 */
 	case SSH2_AGENTC_SIGN_REQUEST:
@@ -722,8 +729,8 @@ process_message(SocketEntry *e)
 	case SSH2_AGENTC_REMOVE_ALL_IDENTITIES:
 		process_remove_all_identities(e, 2);
 		break;
-	case SSH_AGENTC_LIFETIME_IDENTITY:
-		process_lifetime_identity(e, 2);
+	case SSH_AGENTC_CONTRAIN_IDENTITY:
+		process_contrain_identity(e, 2);
 		break;
 #ifdef SMARTCARD
 	case SSH_AGENTC_ADD_SMARTCARD_KEY: